win2k Restricted Groups

Thread: win2k Restricted Groups

  1. #1
    Junior Member | Join Date: Sep 2002 | Posts: 12

    win2k Restricted Groups

    I need to implement a few restricted groups in my org. My question is where should I add the restricted groups within Active Directory. For example, I want to create a restricted group for Domain Admins. Should I just assign the group to the Domain Controllers OU, or should I go ahead and place it at the domain level? I am wondering how this would affect workstations, since there is not a local domain admin group on workstations. Has anyone had any experience with this?


    Thanks!
    Don't hate the player... Hate the game!

  2. #2
    Junior Member | Join Date: May 2003 | Posts: 23
    Well, in Active Directory, under the domain, in Builtin there is already a group called Administrators, and in Users there are groups called Domain Admins and Enterprise Admins ...

    I believe that any user who is a member of those groups will have local admin rights on any workstation they log on from. Actually I know that is true for the Builtin group Administrators, and I believe it's true for the other two groups.

    What exactly are you meaning to accomplish with "a restricted group for Domain Admins"?

    - Qualm

  3. #3
    Junior Member | Join Date: Sep 2002 | Posts: 12
    By making the Domain Admins a restricted group in Active Directory, it will make sure that no accounts are added or removed from this group without configuring it in Group Policy. The reason for this is because I have a help desk person who likes to add people to these groups in order to troubleshoot problems and often forgets to remove them when completed. If I make the Domain Admins a restricted group, then any modifications he makes will be overwritten every 90 minutes when Group Policy is re-applied. This will also aid in defending against any attacker who tries to add a user account to a privileged group to gain access to network resources.
    Don't hate the player... Hate the game!
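
Added example, not part of the thread: a model of the enforcement post #3 describes, where a policy refresh resets a restricted group to the member list defined in Group Policy. It parses the `[Group Membership]` section of a security template and reports which accounts a refresh would remove or re-add; the template text, domain and account names are constructed for illustration.

```python
"""Model of Restricted Groups enforcement at policy refresh (added example)."""

# Constructed security-template fragment in the [Group Membership] layout.
# Domain, group and account names are placeholders, not values from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
EXAMPLE\\Domain Admins__Memberof =
EXAMPLE\\Domain Admins__Members = EXAMPLE\\alice,EXAMPLE\\bob
"""

def parse_restricted_groups(inf_text):
    """Return {group: set(members)} for each '<group>__Members' line."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.lower().endswith("__members"):
            group = key[: -len("__members")]
            # An empty value means the policy defines an empty member list.
            groups[group] = {m.strip().lower() for m in value.split(",") if m.strip()}
    return groups

def refresh_effect(policy_members, actual_members):
    """What a refresh would change: extras are removed, missing are re-added."""
    actual = {m.lower() for m in actual_members}
    return {"removed": sorted(actual - policy_members),
            "added": sorted(policy_members - actual)}

if __name__ == "__main__":
    policy = parse_restricted_groups(SAMPLE_INF)
    # Constructed live membership: 'tempuser' was added by hand, 'bob' was dropped.
    live = ["EXAMPLE\\alice", "EXAMPLE\\tempuser"]
    for group, members in policy.items():
        print(group, refresh_effect(members, live))
```

Run between refreshes, the "removed" list doubles as a report of accounts that were added to the group outside Group Policy.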
